lib: Pulling in new error messages when file cannot be opened securely #578
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-License-Identifier: MPL-2.0 | |
| name: CI for meson build | |
| on: | |
| push: | |
| branches: [ develop, master, release/*, feature/*, hotfix/* ] | |
| tags: [ v*, test-ci* ] | |
| pull_request: | |
| branches: [ develop ] | |
| jobs: | |
| build: | |
| name: ${{ matrix.config.name }} | |
| runs-on: ${{ matrix.config.os }} | |
| container: ${{ matrix.config.image }} | |
| strategy: | |
| fail-fast: false # so that if one config fails, other won't be cancelled automatically | |
| matrix: | |
| config: | |
| - { | |
| name: "Windows MSVC x64", | |
| os: windows-latest, | |
| cc: "cl.exe", | |
| cxx: "cl.exe", | |
| arch: "x64", | |
| publish_release: true, | |
| meson_opts: "-Db_vscrt=static_from_buildtype", | |
| release_name: "win-x64", | |
| release_extension: ".zip", | |
| archive_command: "7z a -tzip -mmt" | |
| } | |
| - { | |
| name: "Windows MSVC x86", | |
| os: windows-latest, | |
| cc: "cl.exe", | |
| cxx: "cl.exe", | |
| arch: "x64_x86", | |
| publish_release: true, | |
| meson_opts: "-Db_vscrt=static_from_buildtype", | |
| release_name: "win-x86", | |
| release_extension: ".zip", | |
| archive_command: "7z a -tzip -mmt" | |
| } | |
| - { | |
| name: "Windows MSVC ARM64", | |
| os: windows-latest, | |
| cc: "cl.exe", | |
| cxx: "cl.exe", | |
| arch: "x64_arm64", | |
| publish_release: true, | |
| meson_opts: "-Db_vscrt=static_from_buildtype --cross-file=./meson_crosscompile/msvc_arm64.txt", | |
| release_name: "win-ARM64", | |
| release_extension: ".zip", | |
| archive_command: "7z a -tzip -mmt" | |
| } | |
| - { | |
| name: "Windows GCC", | |
| os: windows-latest, | |
| cc: "gcc.exe", | |
| cxx: "g++.exe", | |
| release_name: "win-x86_64-gcc", | |
| release_extension: ".zip", | |
| archive_command: "7z a -tzip -mmt" | |
| } | |
| - { | |
| name: "Windows Clang", | |
| os: windows-latest, | |
| cc: "clang.exe", | |
| cxx: "clang++.exe", | |
| meson_opts: "--native-file=./meson_crosscompile/Windows-Clang.txt", | |
| release_name: "win-x86_64-clang", | |
| release_extension: ".zip", | |
| archive_command: "7z a -tzip -mmt" | |
| } | |
| - { | |
| name: "Ubuntu GCC", | |
| os: ubuntu-latest, | |
| cc: "gcc", | |
| cxx: "g++", | |
| release_name: "linux-x86_64-gcc", | |
| release_extension: ".tar.xz", | |
| archive_command: "tar cvfJ" | |
| } | |
| - { | |
| name: "Ubuntu Clang", | |
| os: ubuntu-latest, | |
| cc: "clang", | |
| cxx: "clang++", | |
| release_name: "linux-x86_64", | |
| release_extension: ".tar.xz", | |
| archive_command: "tar cvfJ" | |
| } | |
| - { | |
| name: "MUSL Cross Compile x86_64", | |
| os: ubuntu-latest, | |
| cc: "", | |
| cxx: "", | |
| publish_release: true, | |
| create_package: true, | |
| meson_opts: "--cross-file=./meson_crosscompile/x86_64-linux-musl-cross.txt", | |
| cross_compiler_arch: "x86_64", | |
| release_name: "linux-x86_64-portable", | |
| release_extension: ".tar.xz", | |
| archive_command: "tar cvfJ" | |
| } | |
| - { | |
| name: "MUSL Cross Compile i686", | |
| os: ubuntu-latest, | |
| cc: "", | |
| cxx: "", | |
| publish_release: true, | |
| meson_opts: "--cross-file=./meson_crosscompile/i686-linux-musl-cross.txt", | |
| cross_compiler_arch: "i686", | |
| release_name: "linux-i686-portable", | |
| release_extension: ".tar.xz", | |
| archive_command: "tar cvfJ" | |
| } | |
| - { | |
| name: "MUSL Cross Compile aarch64", | |
| os: ubuntu-latest, | |
| cc: "", | |
| cxx: "", | |
| publish_release: true, | |
| meson_opts: "--cross-file=./meson_crosscompile/aarch64-linux-musl-cross.txt", | |
| cross_compiler_arch: "aarch64", | |
| release_name: "linux-aarch64-portable", | |
| release_extension: ".tar.xz", | |
| archive_command: "tar cvfJ" | |
| } | |
| - { | |
| name: "MUSL Cross Compile armv7l", | |
| os: ubuntu-latest, | |
| cc: "", | |
| cxx: "", | |
| publish_release: true, | |
| meson_opts: "--cross-file=./meson_crosscompile/armv7l-linux-musl-cross.txt", | |
| cross_compiler_arch: "armv7l", | |
| release_name: "linux-armv7l-portable", | |
| release_extension: ".tar.xz", | |
| archive_command: "tar cvfJ" | |
| } | |
| - { | |
| name: "MUSL Cross Compile armv6", | |
| os: ubuntu-latest, | |
| cc: "", | |
| cxx: "", | |
| publish_release: true, | |
| meson_opts: "--cross-file=./meson_crosscompile/armv6-linux-musl-cross.txt", | |
| cross_compiler_arch: "armv6", | |
| release_name: "linux-armv6-portable", | |
| release_extension: ".tar.xz", | |
| archive_command: "tar cvfJ" | |
| } | |
| - { | |
| name: "MUSL Cross Compile armv5l", | |
| os: ubuntu-latest, | |
| cc: "", | |
| cxx: "", | |
| publish_release: true, | |
| meson_opts: "--cross-file=./meson_crosscompile/armv5l-linux-musl-cross.txt", | |
| cross_compiler_arch: "armv5l", | |
| release_name: "linux-armv5l-portable", | |
| release_extension: ".tar.xz", | |
| archive_command: "tar cvfJ" | |
| } | |
| - { | |
| name: "MUSL Cross Compile powerpc64", | |
| os: ubuntu-latest, | |
| cc: "", | |
| cxx: "", | |
| publish_release: true, | |
| meson_opts: "--cross-file=./meson_crosscompile/powerpc64-linux-musl-cross.txt", | |
| cross_compiler_arch: "powerpc64", | |
| release_name: "linux-powerpc64-portable", | |
| release_extension: ".tar.xz", | |
| archive_command: "tar cvfJ" | |
| } | |
| - { | |
| name: "MUSL Cross Compile powerpc64le", | |
| os: ubuntu-latest, | |
| cc: "", | |
| cxx: "", | |
| publish_release: true, | |
| meson_opts: "--cross-file=./meson_crosscompile/powerpc64le-linux-musl-cross.txt", | |
| cross_compiler_arch: "powerpc64le", | |
| release_name: "linux-powerpc64le-portable", | |
| release_extension: ".tar.xz", | |
| archive_command: "tar cvfJ" | |
| } | |
| outputs: #where hashes need to be stored for slsa provenance | |
| #NOTE: Only doing this for builds with "publish_release: true" | |
| #format is hash-${{release_name}} for the zipped packages | |
| # | |
| hash-win-x64: ${{ steps.hash.outputs.hash-win-x64 }} | |
| hash-win-x86: ${{ steps.hash.outputs.hash-win-x86 }} | |
| hash-win-ARM64: ${{ steps.hash.outputs.hash-win-ARM64 }} | |
| hash-linux-x86_64-portable: ${{ steps.hash.outputs.hash-linux-x86_64-portable }} | |
| hash-linux-i686-portable: ${{ steps.hash.outputs.hash-linux-i686-portable }} | |
| hash-linux-aarch64-portable: ${{ steps.hash.outputs.hash-linux-aarch64-portable }} | |
| hash-linux-armv7l-portable: ${{ steps.hash.outputs.hash-linux-armv7l-portable }} | |
| hash-linux-armv6-portable: ${{ steps.hash.outputs.hash-linux-armv6-portable }} | |
| hash-linux-armv5l-portable: ${{ steps.hash.outputs.hash-linux-armv5l-portable }} | |
| hash-linux-powerpc64-portable: ${{ steps.hash.outputs.hash-linux-powerpc64-portable }} | |
| hash-linux-powerpc64le-portable: ${{ steps.hash.outputs.hash-linux-powerpc64le-portable }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Settings vars for MSVC | |
| if: startsWith(matrix.config.name, 'Windows MSVC') | |
| uses: ilammy/msvc-dev-cmd@v1 | |
| with: | |
| arch: ${{ matrix.config.arch }} | |
| - name: Setup for MUSL Cross Compilation | |
| if: startsWith(matrix.config.name, 'MUSL Cross Compile') | |
| run: | | |
| sudo ./meson_crosscompile/install-muslcc.sh -a ${{ matrix.config.cross_compiler_arch }} | |
| - name: Get latest LLVM version | |
| if: startsWith(matrix.config.name, 'Windows Clang') | |
| run: | | |
| $headers = @{ Authorization = 'Bearer ${{ secrets.GITHUB_TOKEN }}' } | |
| $latestRelease = Invoke-WebRequest -Headers $headers 'https://api.github.com/repos/llvm/llvm-project/releases/latest' | |
| $releaseData = $latestRelease.Content | ConvertFrom-Json | |
| $assets = $releaseData.assets | Where-Object { $_.name -like "*win64.exe" } | |
| if ($assets) { | |
| $downloadUrl = $assets.browser_download_url | |
| echo "LLVM_RELID=$($releaseData.id)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append | |
| echo "LLVM_DOWNLOAD_URL=$downloadUrl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append | |
| } else { | |
| Write-Host "No current Windows build available for the latest release. Searching for previous releases..." | |
| $releases = Invoke-WebRequest -Headers $headers 'https://api.github.com/repos/llvm/llvm-project/releases' | |
| $found = $false | |
| foreach ($release in $releases.Content | ConvertFrom-Json) { | |
| $assets = $release.assets | Where-Object { $_.name -like "*win64.exe" } | |
| if ($assets) { | |
| $downloadUrl = $assets.browser_download_url | |
| echo "LLVM_RELID=$($release.id)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append | |
| echo "LLVM_DOWNLOAD_URL=$downloadUrl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append | |
| $found = $true | |
| break | |
| } | |
| } | |
| if (-not $found) { | |
| Write-Host "No Windows build available for any recent releases." | |
| exit 0 | |
| } | |
| } | |
| - name: Restore LLVM from cache | |
| if: startsWith(matrix.config.name, 'Windows Clang') | |
| id: llvm-cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: C:/Program Files/LLVM | |
| key: 'llvm-llvm-project-relid-${{ env.LLVM_RELID }}' | |
| - name: Downloading latest clang for Windows | |
| if: ${{ steps.llvm-cache.outputs.cache-hit != 'true' && startsWith(matrix.config.name, 'Windows Clang') }} | |
| run: | | |
| $headers = @{ Authorization = 'Bearer ${{ secrets.GITHUB_TOKEN }}' } | |
| Invoke-WebRequest -Headers $headers -OutFile "LLVM.exe" ((Invoke-WebRequest -Headers $headers "https://api.github.com/repos/llvm/llvm-project/releases/$($env:LLVM_RELID)").Content | ConvertFrom-Json | Select-Object -ExpandProperty assets | Where -Property name -Like "*win64.exe" | Select-Object -First 1).browser_download_url | |
| 7z x LLVM.exe -y -o"C:/Program Files/LLVM" | |
| - name: Escape backslash in branch name | |
| shell: bash | |
| run: echo "BRANCH_NAME=$(echo ${{ github.ref_name }} | tr / -)" >> $GITHUB_ENV | |
| - name: Setting release name | |
| env: | |
| DESTDIR: ${{ format('openSeaChest-{0}-{1}', env.BRANCH_NAME, matrix.config.release_name) }} | |
| run: | | |
| echo "DESTDIR=${DESTDIR}" >> $GITHUB_ENV | |
| shell: bash | |
| - name: Configuring and compiling with meson | |
| env: | |
| CC: ${{ matrix.config.cc }} | |
| CXX: ${{ matrix.config.cxx }} | |
| run: | | |
| pip install meson ninja | |
| meson setup build -Dprefix=/ -Dmandir=/man -Dbindir=/ ${{ matrix.config.meson_opts }} --buildtype=release | |
| meson install -C build | |
| # add `GOBIN` to the `PATH` otherwise nfpm in next step can't be found | |
| - uses: actions/setup-go@v5 | |
| if: ${{ matrix.config.create_package }} | |
| with: | |
| go-version: 'stable' | |
| cache: false | |
| - name: Create packages | |
| if: ${{ matrix.config.create_package }} | |
| working-directory: ${{ format('build/{0}', env.DESTDIR) }} | |
| run: | # https://nfpm.goreleaser.com/install/ | |
| go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.36.1 | |
| if [[ ${{ github.ref }} =~ ^refs/tags/v[0-9\.]+$ ]]; then | |
| version=$(echo ${{ github.ref_name }} | tr -d 'v') | |
| else | |
| version=$(printf "%s-dev" $(date +'%y.%m.%d')) | |
| fi | |
| sed -i '/version:/ s/"[^"][^"]*"/"'"$version"'"/' ../../nfpm.yaml | |
| nfpm package -f ../../nfpm.yaml -p deb -t .. | |
| nfpm package -f ../../nfpm.yaml -p rpm -t .. | |
| shell: bash | |
| - name: Set ownership of executables to root:root | |
| if: ${{ matrix.config.os != 'windows-latest' }} | |
| run: sudo chown -R root:root build | |
| - name: Packing release | |
| env: | |
| ARCHIVE_EXT: ${{ matrix.config.release_extension }} | |
| run: | | |
| cd build | |
| if [[ "${{ matrix.config.os }}" != "windows-latest" ]]; then | |
| sudo ${{ matrix.config.archive_command }} "${DESTDIR}${ARCHIVE_EXT}" $DESTDIR | |
| else | |
| ${{ matrix.config.archive_command }} "${DESTDIR}${ARCHIVE_EXT}" $DESTDIR | |
| fi | |
| shell: bash | |
| - name: Set ownership of tar archive to root:root | |
| if: ${{ matrix.config.os != 'windows-latest' }} | |
| run: sudo chown root:root build/"${DESTDIR}${ARCHIVE_EXT}" | |
| - name: Generate Hashes | |
| if: ${{ matrix.config.publish_release }} | |
| shell: bash | |
| id: hash | |
| run: | | |
| # sha256sum generates sha256 hash for all artifacts. | |
| # base64 -w0 encodes to base64 and outputs on a single line. | |
| # sha256sum artifact | base64 -w0 | |
| # NOTE: Using suggested method to generate sha across OS's from slsa documentation | |
| # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-artifacts-built-across-multiple-operating-systems | |
| set -euo pipefail | |
| (sha256sum -t ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }} || shasum -a 256 ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }}) > checksum | |
| echo "hash-${{ matrix.config.release_name }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}" | |
| - name: Uploading artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ format('{0}', matrix.config.release_name) }} | |
| path: | | |
| ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }} | |
| build/*.deb | |
| build/*.rpm | |
| - name: Publish release | |
| if: ${{ (startsWith(github.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/tags/test-ci')) && matrix.config.publish_release }} | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| files: | | |
| ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }} | |
| build/*.deb | |
| build/*.rpm | |
| # This step takes all the generated hashes from all build targets and combines them so slsa provenance step can run | |
| combine_hashes: | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| outputs: | |
| hashes: ${{ steps.hashes.outputs.hashes }} | |
| env: | |
| HASHES: ${{ toJSON(needs.build.outputs) }} | |
| steps: | |
| - id: hashes | |
| run: | | |
| echo "$HASHES" | |
| echo "$HASHES" | jq -r '.[] | @base64d' | sed "/^$/d" > hashes.txt | |
| echo "hashes=$(cat hashes.txt | base64 -w0)" >> "$GITHUB_OUTPUT" | |
| # Generate the slsa provenance | |
| provenance: | |
| needs: [combine_hashes] | |
| permissions: | |
| actions: read # To read the workflow path. | |
| id-token: write # To sign the provenance. | |
| contents: write # To add assets to a release. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 | |
| with: | |
| base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}" | |
| upload-assets: true # Optional: Upload to a new release |